Simple Steps to Data Protection
With the proliferation of personal information being collected, it is imperative that organizations take the steps necessary to protect it. Called personally identifiable information (PII), this data can range from customer loyalty information to bank account, Social Security, and driver’s license numbers to passwords, password hints, and health records. Criminals are bent on finding ways to steal and exploit this information.
According to the Privacy Rights Clearinghouse, between January 2005 and mid-April 2008, there were 223,756,043 records containing sensitive personal information involved in security breaches in the United States. Companies that don’t prevent such breaches may find themselves as defendants in lawsuits from corporate shareholders, employees, customers, and other constituents.
Organizations can reduce the risk of data compromise with the right policies and procedures. Establishing and implementing such a program is straightforward if approached systematically.
Classify the Data
The first move is to identify all of the types of personal data that a company collects and stores. For each data type, it should be decided whether that information genuinely needs to be collected, and if so, whether it needs to be stored.
After the list of necessary data types is refined, a hierarchy should be created of data everyone can see, data some people can see, and data only a few people can see—a system not unlike what the government uses to classify documents. For example, the company may decide to allow all employees to view customers’ first and last names, but it may restrict addresses and phone numbers so that only some employees can view those. It may allow only a select few employees with the highest security clearance to view Social Security numbers.
In a healthcare organization, all employees may be able to access patient contact information, but only the accounting department employees may be able to view patient financial information; patient medical files would be limited to medical personnel.
Track Its Journey
After the data is classified, the next step is to find where it enters, where it goes, and where it ends up. Toward that end, the company must first identify all portals through which the data enters. For example, entry points might be corporate headquarters, a Web site, stores, kiosks, call centers, regional offices, and mobile computing devices.
The next question is: Where does the data go after it enters through a portal? The flow of confidential consumer information should be tracked through the organization to locate where existing PII data resides. It could be in databases on servers, on user desktop and laptop PCs, within e-mail messages or attachments, archived electronically on various media, or stored throughout the company in hard copy.
Finding PII wherever it ultimately resides is easier said than done, because the PII may be hidden amid other non-PII data. While it may be easy to locate birth dates, for example, within a file if the column is labeled “birth date,” it is difficult to identify this information in a column labeled “User 6.”
Unfortunately, it is common for companies to have data contained in fields that are not labeled with obvious names, because many older applications do not have designated fields for storing all of the personally identifiable information now required by many businesses. The challenge is to identify this information even when the field is not labeled clearly. Moreover, when searching a desktop or laptop hard drive, IT needs to locate PII within spreadsheets and Word documents.
In a retail operation, for example, the data location utility will need to be distributed to each store to locate PII data residing on point-of-sale terminals and in-store servers as well as within the corporate headquarters. The types of information that may be found at the stores are customer names and contact information, credit or debit card numbers, and customer loyalty information. Some companies have a data warehouse that stores all customer information obtained through their stores and Web sites, along with the employee PII maintained by the HR and finance departments.
Some newer software utilities can help to ease the arduous process of locating existing PII. These utilities, often bundled within Data Loss Prevention applications, scour the insides of a network’s applications and databases to locate this information. In addition to locating where PII data hides, the application should also provide audit information back to a central reporting application, which logs where the PII information was found.
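The content-based detection the two paragraphs above call for, as an added example that is not code from the article or from any product it mentions: each column is classified by what its cells look like rather than by its header, and every hit is recorded as an audit record for a central report. The sample rows, the generic "User 5/6/7" column names, the table name and the 50 percent threshold are constructed for the illustration; the card numbers are standard test numbers and the SSNs are well-known published sample values.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: rows exported from a legacy application whose columns
# carry generic names ("User 5", "User 6", "User 7") instead of descriptive ones.
SAMPLE_ROWS = [
    {"cust_id": "1001", "first": "Ann", "last": "Lee",
     "User 5": "4111 1111 1111 1111", "User 6": "1975-03-14", "User 7": "078-05-1120"},
    {"cust_id": "1002", "first": "Bob", "last": "Ray",
     "User 5": "order-2231", "User 6": "03/14/1975", "User 7": "n/a"},
    {"cust_id": "1003", "first": "Cy", "last": "Moe",
     "User 5": "4012888888881881", "User 6": "gold tier", "User 7": "219-09-9999"},
]

CARD_RE = re.compile(r"^[0-9][0-9 -]{11,20}[0-9]$")
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")
DATE_FORMATS = (("%Y-%m-%d", re.compile(r"^\d{4}-\d{2}-\d{2}$")),
                ("%m/%d/%Y", re.compile(r"^\d{2}/\d{2}/\d{4}$")))


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_card_number(value: str) -> bool:
    if not CARD_RE.match(value):
        return False
    digits = value.replace(" ", "").replace("-", "")
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_ssn(value: str) -> bool:
    m = SSN_RE.match(value)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def is_date_of_birth(value: str) -> bool:
    for fmt, pattern in DATE_FORMATS:
        if pattern.match(value):
            try:
                return 1900 <= datetime.strptime(value, fmt).year <= datetime.now().year
            except ValueError:
                return False
    return False


def classify_value(value: str) -> Optional[str]:
    """Return the PII type a single cell looks like, or None."""
    if is_ssn(value):
        return "SSN"
    if is_card_number(value):
        return "CARD_NUMBER"
    if is_date_of_birth(value):
        return "DATE_OF_BIRTH"
    return None


def scan_table(rows: List[Dict[str, str]], table_name: str,
               threshold: float = 0.5) -> Tuple[Dict[str, dict], List[dict]]:
    """Classify columns by cell content; return (column findings, audit records).
    A column is flagged when at least `threshold` of its non-empty cells match one
    PII type, so a few stray values do not flag a whole column."""
    hits: Dict[str, Dict[str, int]] = {}
    totals: Dict[str, int] = {}
    audit: List[dict] = []
    for row_no, row in enumerate(rows):
        for col, raw in row.items():
            value = str(raw).strip()
            if not value:
                continue
            totals[col] = totals.get(col, 0) + 1
            kind = classify_value(value)
            if kind:
                hits.setdefault(col, {})
                hits[col][kind] = hits[col].get(kind, 0) + 1
                # Cell-level record for the central reporting application.
                audit.append({"table": table_name, "column": col,
                              "row": row_no, "type": kind})
    findings = {}
    for col, kinds in hits.items():
        kind, count = max(kinds.items(), key=lambda kv: kv[1])
        if count / totals[col] >= threshold:
            findings[col] = {"type": kind, "matches": count, "total": totals[col]}
    return findings, audit
```

Running `scan_table(SAMPLE_ROWS, "legacy_export")` flags "User 5" as card numbers, "User 6" as dates of birth and "User 7" as SSNs while leaving `cust_id` and the name columns alone; the Luhn check is what keeps the order number and the customer ids from being mistaken for cards. Real DLP scanners add many more patterns and document parsers, but the shape is the same: classify by content, aggregate per location, report centrally.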
Conduct a Gap Analysis
Once all PII that resides in an enterprise is identified, a gap analysis should be conducted. The company should review what has been located and assess the risk exposures. The next step is to determine what changes need to be made to secure the PII appropriately. This “risk” or “task” list will help IT determine how to prioritize as it goes forward.
For example, a company may decide to encrypt the easiest-to-secure information first, which might account for 80 percent of its confidential consumer data. On the other hand, the risk analysis might show that it is more critical to first encrypt the 20 percent of data that will take longer to secure because it presents the greatest exposure. There is no right answer that fits every organization, but by conducting the analysis, the company can assess its own situation and make an informed decision.
Establish Procedures
The next step is to establish policies and procedures to ensure that the vulnerabilities identified are removed and that new data is handled so as not to re-create these exposures.
For example, the policies and procedures should specify when paper documents with PII must be retained, how they should be stored, and for how long. The procedures might state that PII documents be stored in locked file cabinets; there would also be policies and procedures in place to prevent unauthorized people from gaining access to the files. The policy should similarly address how PII documents should be discarded.
If a company scans hard-copy documents, these electronic versions should be encrypted just like any other electronic file. Once these documents are scanned, they should be shredded rather than filed.
Electronic PII protections should focus on access controls while the data is in transit and at rest. These policies and procedures should address encryption, archiving, and destruction issues.
The company should look at all possible exposures in establishing policies. For example, a bank policy should address what happens to incomplete forms or rejected loan applications, because such documents tossed into a trashcan can be retrieved and the data stolen.
A company should also address mobile devices. Many companies are now requiring a login on BlackBerry devices that forces employees to log back on if they haven’t used their BlackBerry for 30 minutes. (For more on mobile device data protection, see companion article in this Special Focus, page 86).
Training
Policies and procedures are only as good as the people responsible for carrying them out. Securing PII, therefore, also requires changes in employee education to ensure not only a knowledge of the processes but also a heightened awareness of the need to follow them.
While most security breaches are internal, these breaches are usually not caused by disgruntled or dishonest employees. Most internal security breaches are accidental. For example, a laptop might be lost or stolen. Making employees aware of the risks surrounding data on a laptop is as important as implementing policies to protect the laptop and the data on it.
Employee education on information security policies might include basic, commonsense warnings such as instructing them not to write their passwords on a sticky note and then attach it to their computer monitors, not to share their passwords with others, and to lock keyboards when away from their desks.
Many companies offer licensed computer-based, Web-based, or on-site security best-practices training for employees. These courses can often be customized to fit specific needs. Regular refresher training for employees should also be held.
Implementation
Ultimately, it comes down to making sure that the security plans can be implemented in the real-world context of information management. There can be surprises and barriers along the way. For example, many IT managers thought it would be easy to encrypt credit and debit card data to comply with the payment card standard called PCI DSS. In reality, it has been hard to deal with encryption key management, which involves maintaining the keys used by authorized employees to encrypt and decrypt the data wherever it resides throughout the organization.
Here’s an illustration of the problems that arise: To verify a client’s identity, an online brokerage house account representative may be restricted to viewing the last four numbers of a person’s Social Security number or the person’s year of birth but not the month and day. This means that a company must have encryption and decryption keys authorized for use as defined by the user’s role within the organization. Some keys will have expiration dates and others will have effective dates. Poor management of the keys across their lifecycle can create a new set of security vulnerabilities and can introduce the risk that confidential PII will be inaccessible to those authorized to see and use it.
There are best practices in key management that may help, such as centralizing user profiles for authentication and access to keys; not requiring decryption/reencryption for key rotation or expiration; keeping comprehensive logs and audit trails; using a single solution to support field, file, and database key management; and having support for third-party integration, such as point-of-sale terminals. Additionally, the use of a data security application that provides unified key management with these best practices built in can make the process easier.
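The role-authorized keys with effective and expiration dates, the centralized key log, and the account representative's restricted view of a Social Security number and birth date described in the two paragraphs above (and the tiered access from "Classify the Data"), as an added example that is not the author's or nuBridges' code. The key id, roles, dates and sample values are constructed, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for the AEAD a real system would use; only the key-lifecycle and masking logic is the point.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    material: bytes          # 32 random bytes
    effective: date          # first day the key may be used
    expires: date            # last day the key may be used
    roles: frozenset         # roles authorized to use the key at all


class KeyManager:
    """Central key store: each request is checked against the key's validity
    window and the requester's role, and every decision is logged."""

    def __init__(self, records):
        self._keys = {r.key_id: r for r in records}
        self.audit = []      # (date, role, key_id, decision)

    def key_for(self, key_id: str, role: str, today: date) -> bytes:
        rec = self._keys.get(key_id)
        if rec is None:
            decision = "deny: unknown key"
        elif not (rec.effective <= today <= rec.expires):
            decision = "deny: outside validity window"
        elif role not in rec.roles:
            decision = "deny: role not authorized"
        else:
            decision = "allow"
        self.audit.append((today.isoformat(), role, key_id, decision))
        if decision != "allow":
            raise PermissionError(f"{key_id}: {decision}")
        return rec.material


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one stored key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in stream cipher so the example runs on
    # the standard library. Production code uses an AEAD such as AES-GCM.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))).decode()


# How much of a decrypted field each role may see: the account representative gets
# the last four SSN digits and the year of birth only; compliance sees everything.
VIEW_POLICY = {
    "ssn": {"compliance": lambda v: v, "account_rep": lambda v: "***-**-" + v[-4:]},
    "dob": {"compliance": lambda v: v, "account_rep": lambda v: v[:4]},
}


def reveal(km: KeyManager, key_id: str, field_name: str, blob: bytes,
           role: str, today: date) -> str:
    """Decrypt a field for `role` (if the key manager allows) and apply the role's view."""
    masker = VIEW_POLICY.get(field_name, {}).get(role)
    if masker is None:
        raise PermissionError(f"role {role!r} has no view of {field_name!r}")
    return masker(decrypt_field(km.key_for(key_id, role, today), blob))


def run_demo() -> dict:
    """Store a record under a 2008 key and exercise the access paths (constructed data)."""
    km = KeyManager([KeyRecord("pii-2008", secrets.token_bytes(32), date(2008, 1, 1),
                               date(2008, 12, 31), frozenset({"account_rep", "compliance"}))])
    key = km.key_for("pii-2008", "compliance", date(2008, 6, 1))
    rec = {"ssn": encrypt_field(key, "078-05-1120"),    # published sample SSN, not a real person's
           "dob": encrypt_field(key, "1975-03-14")}
    out = {"rep_ssn": reveal(km, "pii-2008", "ssn", rec["ssn"], "account_rep", date(2008, 6, 2)),
           "rep_dob": reveal(km, "pii-2008", "dob", rec["dob"], "account_rep", date(2008, 6, 2)),
           "compliance_ssn": reveal(km, "pii-2008", "ssn", rec["ssn"], "compliance", date(2008, 6, 2))}
    for label, role, day in (("intern", "intern", date(2008, 6, 2)),
                             ("expired", "compliance", date(2009, 2, 1))):
        try:
            reveal(km, "pii-2008", "ssn", rec["ssn"], role, day)
            out[label] = "allowed"
        except PermissionError as exc:
            out[label] = str(exc)
    out["audit_tail"] = km.audit[-1][3]
    return out
```

In `run_demo()` the representative sees `***-**-1120` and `1975`, compliance sees the full values, the intern is refused before any key is touched, and a request after the key's expiration date is refused and logged as "deny: outside validity window". That last path is the one the article warns about: if the expired key were simply deleted rather than retained under policy, authorized users would lose access to data they are entitled to.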
Ongoing Process
PII security should not be viewed as a one-time event. It needs to be continually monitored, audited, and revised. In some cases, as with PCI DSS, annual audits are required. But even for companies that are not under such a mandate, the onus is on them to vigilantly protect the PII.
Third-party sources can be used to help IT stay current with PII theft trends and methods, to teach IT new methods and applications to prevent breaches, and to keep IT current on laws and mandates. One source for information is the International Association of Privacy Professionals.
Locating and securing existing PII information can be challenging. Fortunately, taking a systematic approach to solving the problem and investing in the right technology will ease the process, and the consumer trust that results from these security measures is invaluable.
Gary Palgon is vice president of product management for nuBridges, Inc. He is a frequent contributor to industry publications and a speaker at conferences on security issues and solutions.